I think this could go into a new plugin similar to https://github.com/matomo-org/matomo/issues/16794 . The plugin could be called something like "TrackingSpamProtection". We could include this in core or on the marketplace.
A new UI system setting would be great that lets you configure a max number of actions per visit. By default unlimited actions would be allowed. If the plugin is installed through the marketplace we could maybe set a max value of 500 or so.
The thought is that for most websites it's unrealistic that, say, more than 100 actions per visit are performed (or more than 50 or more than 500 ...). To prevent spammers sending hundreds or thousands of requests for one visit, we would ignore any new tracking request once the configured limit has been reached. It should be as easy as comparing the configured value with visit_total_actions and be very fast.
As a result, if a spamming attack happens, the DB will need fewer resources, plus the data is not as messed up.
It should also be possible to have this setting set to "unlimited" actions per visit. We don't need to have this setting per site for now. We can always do this later (yes, ideally it would be per site). We should mention in the note, though, that this setting applies to all sites.
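
The per-visit limit proposed above, as an added PHP example that is not part of the original post and is not Matomo code. The function names, the use of 0 to mean "unlimited", and the in-memory counter standing in for visit_total_actions are all assumptions, and the request list is constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this does not use Matomo's plugin API.
const UNLIMITED = 0; // assumed encoding of the "unlimited" system setting

/**
 * Decide whether a new tracking request for a visit should be recorded.
 * $visitTotalActions stands in for the visit's current visit_total_actions.
 */
function shouldTrackAction(int $visitTotalActions, int $maxActionsPerVisit): bool
{
    if ($maxActionsPerVisit <= UNLIMITED) {
        return true; // limit disabled: every action is recorded
    }
    return $visitTotalActions < $maxActionsPerVisit;
}

/**
 * Replay constructed tracking requests (one visit id per request) and
 * return, per visit, how many actions were recorded and how many ignored.
 */
function replay(array $visitIds, int $maxActionsPerVisit): array
{
    $stats = [];
    foreach ($visitIds as $visitId) {
        $stats[$visitId] ??= ['recorded' => 0, 'ignored' => 0];
        if (shouldTrackAction($stats[$visitId]['recorded'], $maxActionsPerVisit)) {
            $stats[$visitId]['recorded']++; // stands in for the DB write
        } else {
            $stats[$visitId]['ignored']++;  // dropped before any DB write
        }
    }
    return $stats;
}

// Constructed sample: a normal visit (12 actions) and a flooding visit (2000).
$requests = array_merge(
    array_fill(0, 12, 'visit-normal'),
    array_fill(0, 2000, 'visit-flood')
);

// 500 is the marketplace default suggested in the post; UNLIMITED is the core default.
foreach ([500, UNLIMITED] as $limit) {
    $label = $limit === UNLIMITED ? 'unlimited' : (string) $limit;
    foreach (replay($requests, $limit) as $visitId => $s) {
        printf("limit=%s %s recorded=%d ignored=%d\n",
            $label, $visitId, $s['recorded'], $s['ignored']);
    }
}
```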